UNCLASSIFIED

United States Department of State
and the Broadcasting Board of Governors
Office of Inspector General

Memorandum Report

Information Security Program Evaluation:
Broadcasting Board of Governors

Report Number IT/A-02-07, September 2002 (UNCLASSIFIED VERSION)


MEMORANDUM REPORT IT-A-02-07

Information Security Program Evaluation:
Broadcasting Board of Governors

September 2002


In response to the Government Information Security Reform Act (GISRA),[1] the Office of Inspector General (OIG) performed an independent review and evaluation of the information security program of the Broadcasting Board of Governors (BBG). GISRA provides: (1) a comprehensive framework for establishing and ensuring the effectiveness of controls over information technology resources; and (2) a mechanism for improved oversight of federal agency information security programs. The specific objective of OIG's review was to determine whether BBG is effectively implementing the requirements of GISRA. The purpose, scope, and methodology for OIG's review are discussed in appendix A.

[1] Public Law No. 106-398, Div. A, Title X, Subtitle G, 114 Stat. 1654A (2000), 44 U.S.C. 3531 et seq.


RESULTS IN BRIEF

OIG's evaluation of the effectiveness of BBG's information security program concluded that BBG has made progress, but more must be done to comply with GISRA. BBG has developed an agency-wide information security program, and it has performed program-level self-assessments and documented the results of those self-assessments in its quarterly reporting of the agency's plans of action and milestones to the Office of Management and Budget (OMB). Included in this reporting was the identification of 37 information security weaknesses, of which 20 have been corrected. Also, BBG is in the process of hiring a contractor to develop and revise required information security-related policies and procedures to satisfy its needs.

OIG also found several key areas of security that still require management attention. Specifically, it found that BBG needs to develop an incident response process and reporting procedures to share information effectively on common vulnerabilities and threats. Also, OIG concluded that BBG lacks security and contingency plans at the systems and major application level and needs to develop these plans to meet its information security requirements and comply with GISRA. Lastly, OIG found that BBG lacks an information security training program and must develop and implement a program that addresses the needs of the agency and its employees.

OIG Report No. IT/A-02-07, Information Security Program Evaluation: Broadcasting Board of Governors, September 2002


BACKGROUND

The U.S. International Broadcasting Act of 1994[2] created BBG as a self-governing element within the former United States Information Agency, which provided some administrative, technical, and management support to BBG. The Foreign Affairs Reform and Restructuring Act of 1998[3] granted BBG independence from the United States Information Agency on October 1, 1999. BBG is responsible for overseeing all U.S. government-funded, civilian broadcasting, including the operations of the International Broadcasting Bureau (IBB), which includes the broadcasting entities of Voice of America (VOA), WorldNet Television and Film Service, and Office of Cuba Broadcasting. BBG also oversees two grantee organizations: Radio Free Europe/Radio Liberty and Radio Free Asia.

[2] Public Law 103-236, Title III, Sec. 314.
[3] Public Law 105-277, Division G.

Information security is an important consideration for any organization that depends on information systems and information networks to carry out its mission or business. Information-supported government operations, including those at BBG, are at increased risk. The dramatic expansion and rapid increase in the use of the Internet has changed the way the U.S. government communicates and conducts business. However, without proper safeguards, this widespread interconnectivity poses significant risks to the infrastructure it supports and makes it easier for individuals and groups to eavesdrop on or interfere with government operations, obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other information networks and systems.

Faced with growing concerns about information security risks to the federal government, the Congress passed and the President signed GISRA into law in late 2000. GISRA provides: (1) a comprehensive framework for establishing and ensuring the effectiveness of controls over information resources that support federal operations and assets; and (2) a mechanism for improving oversight of federal agency information security programs. Specifically, GISRA requires each agency to:

•    identify, use, and share best security practices;
•    develop an agency-wide information security plan;
•    incorporate information security principles and practices throughout the life cycles of the agency's information systems; and
•    ensure that the information security plan is practiced throughout all life cycles of the agency's information systems.

In addition, GISRA assigns the agency's Chief Information Officer (CIO) the authority to administer key functions under the statute, including:

•    designating a senior information security official who reports to the CIO;
•    developing and maintaining an agency-wide information security program;
•    ensuring that the agency effectively implements and maintains information security policies, procedures, and control techniques; and
•    training and overseeing personnel with significant responsibilities for information security.

Finally, in addition to a number of other provisions, GISRA requires that each agency have an annual independent evaluation performed of its information security program and practices. OIG or the independent evaluator performing a review may use any audit, evaluation, or report relating to the effectiveness of the agency's information security program. The agency is required to submit the independent evaluation, along with its own assessment, to OMB as part of its annual budget request.


OVERVIEW OF BROADCASTING BOARD OF GOVERNORS INFORMATION SECURITY PROGRAM

Beginning early in 2001, BBG initiated a formal agency information security program to include the assignment of responsibilities, development of system security plans, and establishment of policies and procedures. BBG's information security program plan, issued in September 2001, identifies the CIO as the overall accountable official responsible for establishing agency information management policy and the agency information security program. In addition, the plan recognizes five functional areas[4] within BBG's overall structure and designates the directors of these areas as program officials with responsibilities for developing and implementing a risk management-based security program to protect the information and information systems under their control. Lastly, the plan establishes a broadcast technology steering committee responsible for providing integrated technology to the agency for all operational and administrative activities.

[4] The five functional areas consist of Office of Computing Services, Office of Cuba Broadcasting, Office of Internet Development, Office of Engineering and Technical Services, and VOA Broadcast Operations.

To address the GISRA requirements for developing system-level security plans and performing program and system-level self-assessment reviews of general support systems[5] and major applications,[6] BBG formed five functional areas. In each functional area, the program manager grouped all systems and applications together under one system security plan and performed an annual program-level review of the functional area. The results of the self-assessments were then compiled and reported in the agency's plans of action and milestones (POA&M). Under GISRA, the POA&M must reflect all known security weaknesses within an agency, and be used as the authoritative management mechanism to prioritize, track, and manage all agency efforts to close security performance gaps.

[5] OMB Circular No. A-130, Appendix III defines a general support system as a set of interconnected information resources under the same direct management control which share common functionality.
[6] OMB Circular No. A-130, Appendix III defines a major application as an application that requires special security attention because of the potential risk or harm from its loss, misuse, or unauthorized access.


REVIEW FINDINGS

Self-Assessments Need To Be Documented

BBG performed security self-assessments on its information systems in FY 2001, but the methodology and scope for the assessments were not documented. At the time of this review, BBG had not completed its FY 2002 self-assessment reviews. However, the CIO told OIG that these assessments will be completed using National Institute of Standards and Technology (NIST) guidance by the end of FY 2002. GISRA requires annual reviews of each agency-wide security program and system by senior management officials to ensure the protection of agency systems and data contained within the systems. The depth and breadth of the annual reviews depend on the risk to the system, completeness of prior reviews, and adequacy of the agency POA&M.

In FY 2001, BBG's five functional area managers completed self-assessment reviews and documented 36 information security weaknesses in BBG's POA&M. During FY 2002, one additional weakness was identified and corrected, while 19 of the original weaknesses were also corrected. Table 1 shows, by control category, the 17 remaining weaknesses defined in BBG's POA&M. For a detailed exhibit of BBG's information security weaknesses by functional area, see appendix B.

TABLE 1: BROADCASTING BOARD OF GOVERNORS INFORMATION SECURITY CONTROL WEAKNESSES

Control Objectives                                   Total Weaknesses
Management Controls
  Risk Management                                           4
Operational Controls
  Physical and Environmental Protection                     1
  Contingency Planning                                      2
  Data Integrity                                            2
  Documentation                                             1
  Security Awareness, Training, and Education               1
Technical Controls
  Identification and Authentication                         2
  Logical Access Controls                                   3
  Audit Trails                                              1
Total Control Weaknesses                                   17


BBG Lacks Adequate Information Security Policies and Procedures

OIG found that BBG's information security policies and procedures were outdated and incomplete. Agencies are required by GISRA to develop and implement security policies, procedures, and controls, which provide each system with security protections equal to the risk of system operations. In a recent risk assessment, an independent contractor reported that IBB lacked defined security policies to address configuration management and installation of non-mission related software. BBG's information security program includes issue-specific policies, such as issuing e-mail reminders to information users about viruses, electronic mail attachments, installation of user software, participation in chat rooms, and security threats. Still, OIG found that employees lacked an awareness of the policies that do exist on the rules of behavior, incident reporting, and specific issues policies. In one functional area, employees were found to be using government equipment for their own personal use and visiting prohibited websites.

At the time of this review, BBG's management was in the process of hiring a contractor to develop and update its information system security policies and procedures. Effective implementation of security policies will help BBG management in addressing information security issues and ultimately result in the development and implementation of an improved information security program and protection of systems and information. It is not clear when BBG's new or updated policies and procedures will be finalized.


BBG Incident Response and Reporting Inadequate

OIG found that BBG lacked an information security incident response process and had no external security incident reporting procedures. GISRA requires that agencies have procedures in place for detecting, reporting, and responding to security incidents. Toward that end, BBG's agency-wide information security program plan calls for each of its five functional area program officials to develop incident response and reporting procedures. However, four of the five program officials reported that the procedures had not been developed. The BBG information security program plan states that incidents should be reported to the CIO and the Office of Computing Services so that they can determine whether law enforcement agencies and the General Services Administration's (GSA) Federal Computer Incident Response Center need to be notified. However, only one of the five BBG functional areas overseeing information technology (IT) security has documented procedures in place to react to information security incidents.

BBG officials informed OIG of only four information security incidents that occurred during FY 2001 and FY 2002, none of which was reported outside the agency. Two of the incidents were not reported outside the functional area where they occurred. In two of the four instances, several thousand dollars were spent bringing in outside consultants to evaluate the damage caused by the incidents and to perform a risk assessment of the functional area information systems and major applications.

    Recommendation 1: OIG recommends that the Broadcasting Board of Governors direct its Chief Information Officer to develop an agency-wide incident response capability and formal security incident reporting procedures for its information systems.

BBG Response

In commenting on a draft of this report (see appendix C), BBG concurred with this recommendation. BBG noted that procedures exist for reporting within the agency; however, they need to be more detailed and uniformly applied.

OIG Comments

OIG accepts this response and considers this recommendation resolved. OIG notes that GISRA requires that procedures include the notification of law enforcement officials and other offices and authorities, and consultation with the Federal Computer Incident Response Center. The center assists agencies with incident prevention and response. A lack of agency reporting procedures to the Federal Computer Incident Response Center hampers its ability to determine the scope of the threat to the federal government and may affect other agencies and departments. As noted in its response, BBG's procedures should support an agency-wide incident response capability and include required reporting outside the agency. BBG should provide OIG with its formal security incident reporting procedures for consideration in closing this recommendation.


System Security Plans Not Developed

OIG found that BBG had not developed security plans at the systems or major application level. Further, OIG found that BBG's approach to developing system security plans was flawed because it focused solely on functional areas and not individual systems. System security plans, which are required by GISRA, provide an overview of system security requirements, describe established system controls, and provide a means for improving the protection of information technology resources. During the latter part of FY 2001, BBG completed security plans for each of its five functional areas. However, it did not develop separate plans for each of the systems within these functional areas. For example, OIG found that one functional area grouped 20 of BBG's 31 reported systems for FY 2002 under one security plan. As shown in table 2, not one plan addresses each of the 14 key elements of a security plan. In addition, five of the 14 elements are not addressed by any of BBG's five functional area system security plans.
IT/A-02-07, Information Security Program Evaluation: Broadcasting Board of Governors, September 2002   7 .\n\n                                            UNCLASSIFIED\n\x0c                                                 UNCLASSIFIED\n\n\n\n               TABLE 2: GENERAL SUPPORT SYSTEMS AND MAJOR APPLICATIONS\n\n                 General Support Systems                                                           Major Applications\n\n\n\n\n                                           \xe2\x97\x8b\n\n\n\n\n                                                                                                                   \xe2\x97\x8b\n                                           \xe2\x97\x8b\n\n\n\n\n                                                                                                                   \xe2\x97\x8b\n  OMB Circular No.                             Controls Contained                OMB Circular No.                      Controls Contained\n\n\n\n                                           \xe2\x97\x8b\n\n\n\n\n                                                                                                                   \xe2\x97\x8b\n  A-130 Requirement                             in Security Plan                 A-130 Requirement                      in Security Plan\n\n\n                                           \xe2\x97\x8b\n\n\n\n\n                                                                                                                   \xe2\x97\x8b\n                                           \xe2\x97\x8b\n\n\n\n\n                                                                                                                   \xe2\x97\x8b\n                                           \xe2\x97\x8b\n\n\n\n\n                                                                                                                   \xe2\x97\x8b\n                                           \xe2\x97\x8b\n\n\n\n\n                                          
                                                                         \xe2\x97\x8b\n                                           \xe2\x97\x8b\n\n\n\n\n                                                                                                                   \xe2\x97\x8b\n  Rules of the System                      \xe2\x97\x8b           No                        Application Rules                            No\n\n\n\n\n                                                                                                                   \xe2\x97\x8b\n  Training                                           Partially                   Specialized Training                      Partially *\n                                           \xe2\x97\x8b\n\n\n\n\n                                                                                                                   \xe2\x97\x8b\n                                           \xe2\x97\x8b\n\n\n\n\n                                                                                                                   \xe2\x97\x8b\n  Personnel Controls                                   No                        Personnel Security                        Partially **\n                                           \xe2\x97\x8b\n\n\n\n\n                                                                                                                   \xe2\x97\x8b\n  Incident Response Capability                       Partially                   Contingency Planning                      Partially *\n                                           \xe2\x97\x8b\n\n\n\n\n                                                                                                                   \xe2\x97\x8b\n  Continuity of Support                              Partially                   Technical Controls                         Partially\n                                           \xe2\x97\x8b\n\n\n\n\n                                                        
                                                           \xe2\x97\x8b\n                                           \xe2\x97\x8b\n\n\n\n\n                                                                                                                   \xe2\x97\x8b\n  Technical Security                                 Partially                   Information Sharing                          No\n                                           \xe2\x97\x8b\n\n\n\n\n                                                                                                                   \xe2\x97\x8b\n  System Interconnections                              No                        Public Access Controls                     Partially\n                                           \xe2\x97\x8b\n\n\n\n\n                                                                                                                   \xe2\x97\x8b\n                                           \xe2\x97\x8b\n\n\n\n\n                                                                                                                   \xe2\x97\x8b\n                                           \xe2\x97\x8b\n\n\n\n\n                                                                                                                   \xe2\x97\x8b\n      * Two of three functional area security plans mentioned specialized training and contingency planning.\n      ** One of three functional area security plans mentioned personnel security\n\n\n\n\n                   BBG also reported on 23 systems in FY 2001 that were not reported under any\n               of the functional areas in FY 2002. 
BBG could not provide OIG with information\n               on these systems, including whether it had developed security plans for them.\n\n\n                   Recommendation 2: OIG recommends that the Broadcasting Board of Gov-\n                   ernors direct its Chief Information Officer to develop security plans to ad-\n                   dress the information security requirements of each system.\n\n\n                    BBG Response\n\n                   In its written comments, BBG states that it initially designated five systems\n               within the BBG for GISRA purposes and a security plan has been developed for\n               each. Therefore, according to BBG, the objective of this recommendation would\n               seem to have been met. BBG also states that OIG's recommendation appears to be\n               based upon the assertion that the BBG had 31 reported systems for FY 2002.\n               Further, BBG states that it had designated five systems and reported 31 different\n               applications in use within these systems. BBG also states that an agency contractor\n               recently concluded an analysis of one of the agency systems and recommended\n               that consideration be given to dividing it into four separate domains.\n\n\n\n\n8 .                OIG Report No. IT/A-02-07, Information Security Program Evaluation: Broadcasting Board of Governors, September 2002\n\n\n                                                 UNCLASSIFIED\n\x0c                                            UNCLASSIFIED\n\n\n\n     OIG Comment\n\n    BBG is not correct in its statement that the objective of this recommendation\nappears to have been met. OIG's analysis of the functional area security plans\nfound that a total of 31 systems or applications were distributed across the five\nfunctional areas designated by the BBG. 
BBG management informed OIG of its\nintent to group all systems within a functional area under one security plan regard-\nless of the systems' functions. This approach, OIG believes, does not meet\nGISRA's requirements for system security plans. Further, as OIG notes in its\nreport, BBG has 23 other systems that are not reported under any of the functional\nareas in FY 2002. These systems as well may need security plans in accordance\nwith GISRA.\n\nInformation System Contingency Plans Needed\n\n     OIG found that BBG lacks system or major application contingency plans to\nsupport all of its information technology operations. As required by OMB Circular\nA-130, contingency plans ensure an agency's ability to recover from a disruption\nand provide service sufficient to meet the minimal needs of users. They are essen-\ntial in the event of a power outage, hardware failure, fire, storm, or malicious\nintrusion.\n\n   OIG found that BBG functional areas were in different stages of IT contin-\ngency plan development. Specifically, the stages were:\n\xe2\x80\xa2    one functional area was revising its contingency plan;\n\xe2\x80\xa2    two functional areas were developing their contingency plans;\n\xe2\x80\xa2    one functional area was relying upon a contract provider to have a contin-\n     gency plan in place; and\n\xe2\x80\xa2    one functional area was doing nothing to develop a contingency plan.\n  Contingency planning at the functional level was identified as a weakness by\nBBG's self-assessment in FY 2001, and it remains a weakness identified in its\nPOA&M.\n\n\n    Recommendation 3: OIG recommends that the Broadcasting Board of Gov-\n    ernors direct the Chief Information Officer to ensure that all functional areas\n    and key systems and major applications have information technology contin-\n    gency plans.\n\n\n\nOIG Report No. 
IT/A-02-07, Information Security Program Evaluation: Broadcasting Board of Governors, September 2002   9 .\n\n                                            UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n\n\n          BBG Response\n\n          The BBG concurs with this recommendation.\n\n          OIG Comment\n\n           OIG accepts this response and considers this recommendation resolved. BBG\n       should provide OIG with copies of its information technology contingency plans\n       for functional areas, key systems and major applications for consideration in closing\n       this recommendation.\n\n       Need for an Information Security Training\n       Program\n\n           OIG found that BBG does not have an information security training program.\n       BBG officials were not able to provide OIG with any statistical data on informa-\n       tion security training that showed the classes taken, which employees took the\n       classes, or the associated cost. Although the BBG Information Security Program\n       Plan acknowledges the need for information security training and assigns the Office\n       of Computing Services responsibility for developing and implementing an informa-\n       tion security education program, BBG officials reported that no specific informa-\n       tion security training was taking place. These officials stated that orientation\n       training for new employees included an information awareness component; how-\n       ever, no employees OIG spoke with could recall such a component when they\n       completed orientation. 
Also, neither the BBG training office nor the Office of\n       Security was aware of having implemented initial or refresher information security\n       training for employees.\n\n\n          Recommendation 4: OIG recommends that the Broadcasting Board of Gov-\n          ernors, through its Chief Information Officer and training office director, de-\n          velop and implement an information security training program that addresses\n          the needs of all system users.\n\n\n          BBG Response\n\n          The BBG concurs with this recommendation.\n\n\n\n\n10 .      OIG Report No. IT/A-02-07, Information Security Program Evaluation: Broadcasting Board of Governors, September 2002\n\n\n                                        UNCLASSIFIED\n\x0c                                            UNCLASSIFIED\n\n\n\n     OIG Comment\n\n   OIG accepts this response and considers this recommendation resolved. BBG\nshould provide OIG with a copy of its information security training program for\nconsideration in closing this recommendation.\n\n\n\n\nOIG Report No. IT/A-02-07, Information Security Program Evaluation: Broadcasting Board of Governors, September 2002   11 .\n\n                                            UNCLASSIFIED\n\x0c                                     UNCLASSIFIED\n\n\n\n\n12 .   OIG Report No. 
IT/A-02-07, Information Security Program Evaluation: Broadcasting Board of Governors, September 2002\n\n\n                                     UNCLASSIFIED\n\x0c                                            UNCLASSIFIED\n\n\n\n                                                                                                      Appendix A\n\n\n\nPURPOSE, SCOPE, AND METHODOLOGY\nSection 3535 of GISRA directs each agency to conduct an annual independent\nevaluation of its information security program and practices beginning in FY 2001.\nIn response to GISRA, OIG conducted a review with the specific objectives to: (1)\nidentify the BBG policies and procedures for securing information on its informa-\ntion systems; and (2) determine whether BBG is complying with GISRA with\nregard to establishing and ensuring the effectiveness of controls over information\nresources. For its 2002 report on GISRA, the OIG evaluated BBG's progress in\nimplementing the requirements of the law.\n\n    To fulfill the review objectives, OIG met with BBG officials from IBB, VOA,\nOffice of Cuba Broadcasting and system owners and information system security\nofficers from the Department of State whose systems connect to BBG systems.\nOIG did not conduct a detailed review of BBG's grantee organizations, Radio Free\nEurope/Radio Liberty, and Radio Free Asia. They are private, nonprofit organiza-\ntions that own and operate their own information technology systems.\n\n    In addition to interviews with appropriate BBG management and staff, OIG\nperformed a detailed analysis of BBG's system security plans and information\nsecurity program. OIG collected other relevant supporting information technology\ndocumentation as appropriate. OIG obtained written comments on a draft of this\nreport and revised the report where appropriate. The BBG's comments are in-\ncluded in appendix C. Staff from OIG's Information Technology Evaluation Area\nperformed this evaluation from February 2002 through July 2002. 
Contributors to\nthis report were Frank Deffer, James Davies, Anthony Carbone, Matthew Worner,\nand Heather Rogers. Comments or questions about the report may be directed to\nMr. Deffer at defferf@state.gov or at (703) 284-2715 or to Mr. Davies at\ndaviesj@state.gov or at (703) 284-2673.\n\n\n\n\nOIG Report No. IT/A-02-07, Information Security Program Evaluation: Broadcasting Board of Governors, September 2002   13 .\n\n                                            UNCLASSIFIED\n\x0c                                     UNCLASSIFIED\n\n\n\n\n14 .   OIG Report No. IT/A-02-07, Information Security Program Evaluation: Broadcasting Board of Governors, September 2002\n\n\n                                     UNCLASSIFIED\n\x0c                                            UNCLASSIFIED\n                                                                                                                      Appendix B\n                                          Agency Comments\n\n\n\n\nOIG Report No. IT/A-02-07, Information Security Program Evaluation: Broadcasting Board of Governors, September 2002           15 .\n\n                                            UNCLASSIFIED\n\x0c                                     UNCLASSIFIED\n\n\n\n\n16 .   OIG Report No. IT/A-02-07, Information Security Program Evaluation: Broadcasting Board of Governors, September 2002\n\n\n                                     UNCLASSIFIED\n\x0c"